MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfa40c1b8552fd4db408ba6cc0d622c3fed256ca4e684e4277291332c45975fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

FormBook

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	cfa40c1b8552fd4db408ba6cc0d622c3fed256ca4e684e4277291332c45975fb
SHA3-384 hash:	9b42feda5a95b32836b33ffb2d76df09620b6f80bcebe35f330e1db482a7d955d7885e6b0e96800e96d252d6988babb9
SHA1 hash:	e9e7b04e1041dbb6cf2259b97ce2aa8dd284188a
MD5 hash:	cd66e413c50a749f566ef6fb784c8af1
humanhash:	bulldog-nitrogen-nevada-juliet
File name:	PO.exe
Download:	download sample
Signature	FormBook Create hunting rule
File size:	778'752 bytes
First seen:	2020-06-22 13:48:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7a3b36319e10a182a46078ebecd565ef (13 x AgentTesla, 4 x HawkEye, 4 x Loki)
ssdeep	12288:8GeRii6YfY4FBgEMo+3z9SFnbHhnmju5hbZaypylJBjByJBEtj5:NLLv4fH02bcjuPkypylJBjh
Threatray	5'371 similar samples on MalwareBazaar
TLSH	6FF48EE1E2D04C33CC2F163BCD7B5E77AC29BD10292869462BE5DC4C9E286DD7825297
Reporter	abuse_ch
Tags:	exe FormBook

abuse_ch

Malspam distributing FormBook:

HELO: gmail.com
Sending IP: 156.96.44.161
From: ART IMPEX GROUP LLP <sales@gmail.com>
Reply-To: fortunatodaniel.johndeere@gmail.com
Subject: RE: New Purchase Order
Attachment: PO.zip (contains "PO.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/12621/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Win32.Herz.B.7193.27524.UNOFFICIAL

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/cfa40c1b8552fd4db408ba6cc0d622c3fed256ca4e684e4277291332c45975fb/

Threat name:

Win32.Trojan.Swotter

Status:

Malicious

First seen:

2020-06-22 13:50:04 UTC

AV detection:

30 of 31 (96.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z6sayg4fkl6u3naixjwmbvrcyp7nevwkjzue4qtxfejtfrczox5q._file

Verdict:

malicious

Label(s):

netwirerc

FormBook

18b73eb77f7ab87787d413aa80258f45f7e70b93c2464166c459254e0a4d8a47

FormBook

1d1c9ee0b1adaa5a121fd70d332785395ad22538f9cdc7db44414c1604e28919

FormBook

38cafe26c2a04715f175182f36462f482bdbbcb1d875654b9ac1242c29f50b06

FormBook

54828c080b94bdbf7bc08ff7a3fc69fa5a91d1b067d2997af8ef60c0304b4aed

FormBook

693e62c2a77f9a854abde4a76ff075601db591e2007d198225385fc63965b719

FormBook

99ae2d3c813970e279188fa1fce92e70ac2ba63c03d2d04fd6f719d4953169c3

FormBook

b84f164b86250eaee07153f4665af8826f0e934ba80e505ae37ead324f53b971

FormBook

ba47cf38b9634cbe5fd3ae81f2f7cef3554b8f57f59501b9ea5fde8c73ff4a4e

FormBook

e58d299e799026f70c33649310efef0e2ccfa45514fa554dcc0f4eb9fbdf1cf2

FormBook

+ 5'361 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

persistence spyware evasion trojan stealer family:formbook

Link:

https://tria.ge/reports/200624-k5cye11hg6/

Behaviour

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Drops file in Program Files directory

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Reads user/profile data of web browsers

Deletes itself

Adds Run entry to policy start application

Formbook

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Formbook in memory
Reference:	internal research

Rule name:	win_formbook_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

4d8d961fdc0c0386064624eb260f6a6e

FormBook

exe cfa40c1b8552fd4db408ba6cc0d622c3fed256ca4e684e4277291332c45975fb

(this sample)

Dropped by

MD5 4d8d961fdc0c0386064624eb260f6a6e

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/12621/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample